Cybersecurity lawyers can help handle a variety of enterprise security issues, but are they necessary? Expert Mike O. Villegas discusses the potential benefits.

I heard that some industries, such as financial and healthcare organizations, are starting to keep cybersecurity lawyers on retainer. With so many different security practices and standards to keep up with, including compliance and privacy policies, it sounds like a good idea. Before we spend the money on a cybersecurity lawyer or law firm, do you think it's necessary? And if so, what enterprise issues should they focus on?

Internal legal teams are becoming increasingly educated in cybersecurity, but they will still call on cybersecurity lawyers for assistance when a security incident occurs. The threat of security breaches constantly grows in frequency and complexity, so it is no wonder that enterprises are starting to hire cybersecurity lawyers or keep them on retainer. But is this really necessary? It may not be necessary to hire a cybersecurity lawyer for the organization, but keeping one on retainer is probably a good idea.

An attorney retainer is an estimated amount of money that an attorney believes will cover the costs of legal representation in the event of a breach. The money is held in a noninterest-bearing account and the lawyers pay themselves with it for billable hours throughout the litigation process.

Retainer fees are also used when a client needs to hire an attorney for a long-term relationship. For example, companies can have cybersecurity lawyers on retainer in the event of a breach or cybersecurity incident in the course of the business' everyday work. Cybersecurity attorneys need a sufficient retainer to be called upon when needed, but it doesn't need to cover an entire litigation -- whether or not that will be necessary cannot be determined until the security breach or major incident occurs. The attorneys kept on retainer for these cases need to be specialists in cybersecurity and have experience in possible breaches that could occur within the specific industry and enterprise. This type of retainer provides a less expensive alternative to hiring an in-house legal team specializing in cybersecurity.

Issues that cybersecurity lawyers can assist with include:

Cybersecurity insurance coverage: Since cybersecurity insurance companies are limiting coverage because of recurring breaches, and are now questioning whether due diligence was taken by the enterprises as part of the insurance policy, a cybersecurity specialist can help ensure the company has sufficient insurance coverage.

Cybersecurity breach: When a breach occurs, cybersecurity lawyers can determine what recourse the enterprise has for litigation against the perpetrator, communication with stockholders and customers, possible legal and regulatory violations, and guidance on dealing with media relations.

Cybersecurity forensics: Cybersecurity forensic professionals typically know how to manage the chain of evidence, but eventually a cybersecurity lawyer needs to determine how to use this evidence for possible litigation.

Cybersecurity lawsuits: This includes situations where the enterprise is alleged or proven to have mishandled customer information or assets, or to have been negligent in protecting them.

Cybersecurity executive protection: Due to certain laws and regulations, enterprise executives, including the CISO, bear personal liability for breaches and major cybersecurity incidents. Cybersecurity lawyers can provide assistance in limiting their liability and possible litigation.

Cybersecurity law firms engage subject matter experts in cybersecurity forensics, cybersecurity laws, media relations and liability insurance. In light of recurring and ever-increasing data breaches and regulatory requirements, having cybersecurity lawyers either on retainer or on staff is becoming a normal matter of doing business.

Join the conversation

5 comments

The answer to whether cyber security lawyers are needed is an absolute yes in my opinion. When you’re in trouble, you need the right kind of help – not just help in general. Otherwise, you’ll find it costs you more and probably hurts you more as well. Whether the lawyer needs to be on a retainer is a separate item. If you need a cybersecurity lawyer, do you need them that day or a few days later? It seems like in most cases you can wait a couple days as you should be spending Day 1 (and probably Day 2+) determining what was hacked and how. So, instead of investing in a retainer for a lawyer, you should probably invest in the right people or equipment that help you determine how you were breached. Check out this whitepaper for more information - https://www.ixiacom.com/resources/white-paper-architecting-security-resilience.

I would say yes. You want a specialized lawyer who knows this area in great detail. It only makes sense to hire someone with the correct skill set. Would you want a personal injury lawyer handling your divorce? Of course not. You want someone who asks the right questions and can protect your company's digital assets. Having one permanently on staff may not be cost effective, but have someone you can trust when needed and fast. You don't want to have to wait a week for them to be available.